View Show Notes and Transcript

Episode Description

What We Discuss with Francesco Cipollone

  • Multi-Cloud
  • Multiple languages to manage multiple cloud environments – Azure scripts vs AWS scripts
  • Maturity of cloud security ?
  • CSA – Cloud Control Matrix
  • Strong presence of AWS in US & Australia
  • Strong presence of Azure in Europe
  • And much more…

Thanks Francesco Cipollone!

If you enjoyed this session with Francesco Cipollone,, let him know by clicking on the link below and sending him a quick shout out at Twitter:

Click here to thank Francesco Cipollone, on Linkedin!

Click here to let Ashish know about your number one takeaway from this episode!

And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.

Resources from This Episode:

Ashish Rajan: [00:00:00] Welcome to cloud security podcast. And today we have a special guests from UK Francesco and well, I have been following your work on LinkedIn for a while, Twitter for a while, for people who don’t know you, how do you share who is friendship? 


Francesco Cipollone: Thank you for having me I think wear many hats. So one of the hats they wear is of course, as probably you met me is the head of cloud security Alliance for UK now. 


And we do anything cause related and we try to secure. And give recommendation to a semi or a big organization, how to secure their environment. We’re not for profit, but we’re on a number of events. And of course we’re associated with all big B sister. That is the cloud superior lions. That is the guys that’s brought 27,018 in 17 without the standard for the class. 


So we started, we started the cloud security from the scratch, and then I think you might have come across me with the mentoring Monday podcast, where we do similar things as, as you do where we get people involved. In [00:01:00] security, we get a totally the to come in and talk to us and talk to our community of people to start in security. 


And we run different teams. And of course I’m heading there. NSC 42. That is my security consultancy here in London. And we do application security and of course cards and whatever I’m going to say today, though, it doesn’t represent any of my clients or any organization. So it just purely my opinion, just 


Ashish Rajan: But before we go into this. Cool. So cloud security is an interesting one for a lot of people where a lot of people have different definition of what cloud security is. What does cloud security mean for you? 


Francesco Cipollone: I just tripped it down even to just pure security. When I say security, just doing things right. 


And nowadays security, especially when, when the, when the first transformation that I’ve been involved in were kicking off. I had a lot of people really, especially on the security, if you’re really scared. Okay, how do I protect my data? I used to keep it safe in my network, in my environment now is going to the cloud. 


What is the cloud? How do I control the [00:02:00] access? Everybody getting crazy. And we saw probably four or five years ago. The first thing blowing out with S3 buckets completely open. And we did address probably not, not taking a security strength approach on the cloud because they wanted adoption first. 


Security for the cloud is really starting to. Consider what is effectively your client’s policy, your organizational policy, what is security for you? And then applying the same nonfunctional requirement to each product and decide which product are you going to use, which product you’re not going to use in start small. 


And that’s how I recommend all my clients to say, start small, start with a very told, full structural product that you want to use environment. And how do you want to configure the minimal part and not the stuff. And it’s really important to start from the foundation, because if you get the foundation wrong, correcting it down the line, like. 


Created a network, nothing proper, probably if you’re having segmented, correcting things in production is always, always really painful. So [00:03:00] get some thinking cap on, especially at the beginning of the transformation, if you don’t know how to contact people that have done this or contact the cloud secure Alliance, we offer free consultancy. 


To actually how to get started and how to kick off the security strategy. And there are two or three of my talks on that and really the basic thing to, to do when you start the cloud transformation, what do you have consider? 


Ashish Rajan: Right. I didn’t know. A cloud security Alliance actually had frequently. 


Francesco Cipollone: Yeah. 


I mean, we have, we, we’re on a we’re on meetups. We’re on if you’re a member you can come to our calls. We run members calls where you just network with with people. And you can ask those question when you have a community of people, we’re out of the white papers, but we tend to help organization getting up to speed with the cloud. 


And we partnered up with AWS, Microsoft. And Google on trying to get more basic training, for example, TCA in the UK, 


Ashish Rajan: taking a step back because for people who may be new to the cloud and they’ve met, they may be listening to cloud security Alliance for the first time they bring security may have heard about it for, for a while. 


[00:04:00] How do you explain what cloud security Alliance. 


Francesco Cipollone: So the cloud security Alliance, if you want, in a nutshell is a non for profit that wrote the regional standard on the cloud. And then we started getting more and more people involve in, in, in cloud transformation or they were doing cloud transformation and effectively started as a network of people. 


And we started publishing out all the material or the white papers, all the standards, It was in the back of our mind. And one of the big standard that we publish was there a CCM and the cloud control matrix that is effectively a guideline of all the controls that are available, and how they map to all the standards. 


So if you don’t know where to start start with the division of responsibilities, you know, RCCS. No body of knowledge. I don’t remember exactly the chapter, but there is a full chapter dedicated on understanding. What are you responsible in from a security perspective? What the cloud provider is responsible and then move to the next step, identifying the controller, identifying the stuff. 


And if you don’t know, find a local chapter in your [00:05:00] country, in your area and get in touch with the people with the peers and ask the question. If. Probably I can find it out, find it out for 


Ashish Rajan: you. And it’s not one. I probably would. I should start one, I guess maybe I should reach out to you for that separately, 


Francesco Cipollone: but absolutely. 


Yeah. Guidance. 


Ashish Rajan: Perfect. I guess the next question is what, so we spoke about cloud security and transformation that a lot of people are going through. What is multi cloud for you? And if Modi got really a thing people should consider. 


Francesco Cipollone: No, no. When you start, we had a stream of, and you’re going to know this about me. 


I’m very strongly opinionated about certain things, but I know, but we had these, this stream of things and people going crazy with multicloud, but if you just. The issue of spinning up environment in Azure with scripts and then doing the same stuff with Terra formation on other, other cloud, we already have two different standards of PowerShell and Terrell formation. 


And then you have maybe obstruction layers that you put in front of to actually say, you know what? I can create a script that actually configure with stuff with Azure or stuff with [00:06:00] AWS, but they, this Terrell formation is already behind. On cloud formation. And as you PowerShell in term of library in term of service that you can use, so you have already two versions. 


So is if you start in the cloud, just out in one location, we do it very simple. The only recommendation on my give is effectively considered backup in another environment in another cloud provider. Always want to see the cost that is involved in extracting information out of the cloud provider, because it’s really easy to get data in, but it’s really expensive to get data out. 


So you should really consider that. And the other element that I consider to ex-corporate from the Cal provider that can lock you in really badly is identity. So choose an external identity provider that provides you EDLE with MFA, MFA, hold their account. If, if anything, you do insecurity, just MFA all the accounts. 


I’m not going to start the controversial on their SMS and another form of 


Ashish Rajan: authentication. 


Francesco Cipollone: if you can just out indicate or, or, or Microsoft authenticator or whatever software base authenticator [00:07:00] you can use, if nothing, just using SMS, but at least MSA two factor. 


Ashish Rajan: And I think because you said. Because usually people say MFA for admin accounts and for someone who’s accessing the pads on infrastructure. 


But do you recommend using MFA for read-only users to the cloud platforms as well? Or 


Francesco Cipollone: why not? MFA? Well, ideally for anybody that has Drydex is because it can cause havoc in your environment, even if it’s a small environment, a read-only user enumeration, I’d just say anybody that can do a numeration is going to be a way. 


Okay, so, 


Ashish Rajan: all right. So why not? No, sorry. Yes. 


Francesco Cipollone: I’m a fin to everything. If you need, if you need to choose because you have license because you have reason to not apply MFA everywhere. I would say start with a right on the account with the. So at means or sub admin account of a yeah. Now 


Ashish Rajan: I guess to your point, multicloud may not make sense in the beginning. 


Once you grow big enough, like I guess, you know, big four bank or a consultant or not to falling from, but more, internet companies at that [00:08:00] stage. Does multicloud still makes sense for you? I guess. 


Francesco Cipollone: I still doesn’t. I mean, on certain exception, like I’ve seen CRM on the cloud, leave them, have the life on a different cloud provider. 


I’ve seen backup on a different cloud. I see identities, but the bulk of. Yeah, because of all the automation, because of all the customization on the script tend to ultimately land on one provider. And even in, in big organization, what I’ve seen is you have stream of ports and stream of a piece of the organization that goes completely on one cloud or configure on the cloud, but you don’t see much hybrid in a single one. 


If you take, for example I don’t know, probably the top. Couple top three American banks without naming names. They’re on, on AWS. Here in the UK, I think is a bit of a, of a mix and hybrid, but you still see banks or you still see big organization that orient themselves towards one provider because first expertise is really hard to have. 


Multiple expertise is very hard [00:09:00] to find security on, on one cloud. Think about cloud. Then customization of scrapes service becomes really customized. You can start writing stuff in PowerShell, then you move to Terra, formation of cloud formation for AWS, and then you’ve right. Customization stuff for GCP, for example, and then compliance you all. 


You have three compliance engine, you end up with three compliance engine. So it really. A lot of work. So what I recommend is stick to one cloud and on the, on specific use case consider different countries. Sure. 


Ashish Rajan: And to your point about seeking the one cloud, is there a way to measure a cloud security or your maturity of cloud security in an environment? 


Francesco Cipollone: That’s a really good question. I think there are a few. Kind of assessment, all that are says, the environment as a whole of course the cloud providers have, their own engines. You have as your Azure security center to measure your compliance, to work towards SIS, that is center of internet standard that deployed their own. 


They [00:10:00] created their own standards for a number of things. So as you are, has his own embedded one, AWS has started his own with security center while security center. Oh, shield or CPT, how Ben shields. Thing Salesforce has started towards that direction. GCP has for safety. That is a configurable rule engine where you can configure your own set of rules so you can achieve Canon assessment or compliance. 


But the majority of stuff that I see is manual compliance model assessment, and they, and the CCM can, can offer for Manolo. Did the manual assessment, a good guideline or. Have you considered these a few considered these a few conservatism considering it has multiple domains, from backup to accounts to, encryption and stuff like that. 


Again, I’ll have a one-stop shop where you can order your, your environment and then get better at it by automating that with this compliance centric. 


Ashish Rajan: Right. And how often do you recommend, you know, how Ben that’s kind of happens every time? There’s a change in design from here to that. There’s an ordered that happens once 


in an [00:11:00] ideal world, I was defeated in an ideal world and this would happen or a design changes or a new platform. How often do you recommend people do assessments of their cloud security material? 


Francesco Cipollone: I would say one supplies for years when they start in because, or maybe more frequently, depending on the number of service they introduce. 


If you’re doing a good initial assessment and initial strategy and transformation, then you don’t need to do that more often because you have already decided the number of service that you introduce. Continuously assess the service or whenever you introduce new service, make sure that they are compliant with your own policy and then assess the environment as a whole. 


So if you think about it, that design for the environment, wouldn’t change that frequently. You have probably the three tier or the two tiers, the connectivity. That will then change their frequency. What they change is the service that you have inside and how you hard and the virus I don’t know, obligation, or how do you use the various service? 


So that recertified frequency, once or twice for years, any daily you [00:12:00] would run continuous compliance with. With the engineer just mentioned, like for safety, for GCP, for example, when you start creating a rules, like I don’t want any in these environment, other ones, anything that is web facing, you can create a rule to actually say, I don’t want any connectivity or any route that goes outside that continues the assessment that you don’t have to assess yourself 


Ashish Rajan: for throat. 


I think that’s kind of where being more cloud native. So it says from the cloud kind of makes sense as well, because to your point earlier, all three cloud providers, all the, all the three major public cloud providers are offering services there, you can kind of do assess. We don’t have to go to an external person. 


You can set the foundation, right. And you measure them yourself. I think that’s, that’s kind of like the key for why. 


Francesco Cipollone: Well, they attempt to use a venti controversial argument going. So now if you need funding from your board, so to an external assessment, to a pen test, if you need to demonstrate from an external party that tells you exactly the stuff, but assess the things yourself, or do continuous compliance because there is [00:13:00] nobody better. 


Your cell phone telling what security is for your organization. That’s right. Firstly, 


Ashish Rajan: with the context as well, because to your point, a pentest report would be generic for all. This is public, but it’s supposed to be public is something that the company would know, but not. 


Francesco Cipollone: Yeah. Don’t you have to tell the pen, test that, those information. 


So either way you’re better off achieving continuous compliance and doing an assessment yourself. It’s hard. It’s definitely hard, but with the stuff to the cloud secure, lion’s introduced and the more we go in of white paper and. Recommendation that we’re going to introduce as actually have a way forward. 


Ashish Rajan: Do see I guess to your point earlier about a lot of organizations tend to go to a one particular cloud and then some of them divergent become hybrids, eh, I guess, is it a trend you’re seeing between, because you do a lot of talking in us as well. Like what is the trend you’re seeing in terms of. I don’t want to say who’s winning public cloud race, but what do you see as like a upcoming thing? 


Because I guess we have a lot of listeners who may be starting off in cloud security. And then like, we spoke about a lot of services offline that, you know, how many [00:14:00] thousands being released by AWS Azure, Google cloud, where do they go for? Where do they shop? Where should they start? I guess if someone was looking at doing something in cloud security, where should they be focused? 


Francesco Cipollone: So, while I’m going to say is just purely observation that I’ve seen here. And there is not just any representation of the classic airlines, all my clients. So with that out I will definitely say that I’ve seen a very, very, very strong presence on AWS. In in the us with the pure reason because they started that tactic market that, so they crafted the sales specifically for 10 market. 


In fact, it’s really much, it’s pretty much engineering led. The us has a very strong engineering mindset and product mindset. So that is a really strong. And powerful combination. If you go to the Europe to Europe where you have less engineers or left development happening all the time, and Microsoft is more embedded in the enterprise, naturally, Microsoft have done that [00:15:00] with as your active directory and office 365 things naturally. 


So have landed things natural. And then it expanded from there, with this. And as you were just a bank in of active directory, then you had, offices, 65 taking over, and then as you are expanding in the number of service, really in the last three years, Asia and Australia, I think Australia is pretty much aligned with the us in the use of AWS. 


Asia is a bit of a mixed bag, but I don’t have an eyes on it. Yeah, GCP GCP is a little bit more particular because I’ve seen GCP rating over on very niche product, like analytics, where they have really, really strong being Google and being, and having that analytics engine that they can reuse or although of AI as a service and function that they sell based on the aquarium. 


But is definitely taking a speed and pace with the computer engine and they kind of serve as the introducing. So it’s said it’d be lagging behind, but [00:16:00] this is taking over. This really depends on how your company is structured. So if it has more engineers than definitely go on AWS, if it’s less engineers, and if you want something to start in a more easy way, as you tend to be more friendly and tend to have more friends than. 


Right. It really depends. The one evaluation. See, what’s easier for you to configure and what fulfills your requirements. So if you need. Customization requirement. I will suggest go ahead of this. Or if you need specific service, evaluate all the providers, if you want easy and for configuration GCP or as your can offer a good starting point. 


Ashish Rajan: Oh cool. That’s a good segue into our next segment is called myth. In MythBusters, basically the first question is what are the most common cloud security myths that you come across 


Francesco Cipollone: cloud is secure or insecure and depends. It depends by, by who has done the first 


Ashish Rajan: marketing. Oh, and how do you bust this myth? 


Like what is European. 


Francesco Cipollone: The clouds tend to be more secure than any [00:17:00] organization that I’ve came across. It’s all a matter of configuration, honestly. If you think about at an AWS or as your or GCP, they fundamentally have tons and tons of clients. Different different environment and they are potentially regulated by all the regulation earth. 


So they will have a scrutiny that is definitely bigger than your organization. They have a security level that is if they lose on that, they lose the business. So they feed that services. I have to scratch what is, what tend to fail a lot in the, in cloud providers and what people say the cloud is secure. 


The cloud is not secure is the configuration aspect of it. So the security of data inside the cloud. So trust your cloud provider to do the physical part and to do what they are responsible, but understand really what you’re responsible as a user. Off the cloud and what you need to secure inside the cloud. 


So the configuration aspect of the service in the cloud and how you configure cloud is nothing different than, than a data center somewhere else. It just, they [00:18:00] put an API in front of it so that you can configure it programmatically. 


Ashish Rajan: Yeah, that’s right. But I think a lot of people just kind of misunderstand to be misunderstand cloud, to be this, this really unique unicorn, for lack of a better word, that they have no idea how to react to. 


So the next question after this is, do you feel cloud security is becoming a conversation at the C level like C level folks are taking it seriously? 


Francesco Cipollone: It depends. It depends where the business is. It depends how well educated the business is on the specific subject. I see a lot of buzzwords and hype happening on the cloud where. 


Somebody goes to a conference and all their peers are calls and they’re doing cloud stuff. Hence it comes back and say we shall be cloud or a lot of conference oriented, for example, on the scam on years and what have been on. Some of these being breached, I’m not going to name names, but we had few bridges on the cloud of, in, in the past six months for misconfiguration. 


So at that point everybody’s scared and everybody say the [00:19:00] cloud is insecure. We shall be, shall pay more attention. And it happens all the time. So make busted on that, just look at your organization. What is security for your organization and apply the same principles that you apply on prem on the 


Ashish Rajan: cloud. 


And what is something that people are not talking enough about in cloud security? 


Francesco Cipollone: I think I revert back to the configuration aspect and the unmanned configuration aspect. So a lot of the issue, well, if anything, 99% of the issue that was in breaches that we’ve seen in the cloud was because somebody configured something in a different way that wasn’t secure and. 


If you remove the human aspect out of the configuration. And if you say this is how I want to configure my environment and I make it consistent across the board and I’ll make it repeatable with scraped or Terra formation with template, the cloud formation template for AWS or RCA CD pipeline that then deploys my configuration automatically. 


Then at least that will ensure [00:20:00] consistency of configuration around specifics. Yup. Yup. 


Ashish Rajan: Cool. Kind of coming toward the end of a thing as well, before we go into almost our fun section. I just have one more question. You mentioned breach earlier. Is there a breach that you were part of or did. Shared stories of, 


Francesco Cipollone: I can’t disclose, I have no vision and I can’t 


Ashish Rajan: disclose that. 


I tried, I tried 


This is the last segment. It’s a fun questions. Where do you spend most time on when you’re not working on cloud or security? 


Francesco Cipollone: Geez. I spend tons of time on the, on community events. So I do a lot of public speaking. I do a lot of mentoring, so I have four and five mentees, are trying to get preference to a woman in cyber. 


So I’m a big sponsor, a woman in cyber security. My main mentor, Jim Franklin is a woman. Massive respect her for. All the work she does. So I’ve taken on me to actually mentor, other female. Mentees is extremely challenging being a male align this work, but it’s getting better. So I do a lot of community events. 


I do a lot of talks, so upon re-up with [00:21:00] recent flight time school. So I do a lot of talks on their engineering community to get them up to speed on security, follow Fridays, a lot of videos I’m constantly on, on social media. Conference and yeah, when I’m not doing that, I mean, in the gym or running or. 


I try to carve out a little bit of time for myself when I’m traveling and trying to enjoy the place. I’m a big whiskey fan. So have a huge whiskey collection, massive cabinet, always key. So I’m collecting whiskey and I’ll go with my friends enjoying whiskey. So I started small whiskey community around the world. 


Ashish Rajan: That is pretty awesome. I’m a big, big whiskey fan as on my phone, so I can dirty appreciate that. Which one is your favorite? Ooh, it’s interesting. Because recently we did my wife and I discovered there is a Japanese version of. I would come back with your name. I’ll send you a picture of a thing I bought at the airport. 


Like really? Yeah. Anyway, I can go on about different discipline dollars to the podcast talking about whiskey. The I guess it’s sort of quickly shout out with Jane Franklin as well. Cause we had her as a guest [00:22:00] a few weeks, I guess you have to sorta go, but she was pretty lovely lady. The next question for. 


Fun section is what is something that you are proud of, but it is not only a social. 


Francesco Cipollone: I am massively on social. So I’m going to struggle on that. Let’s see. I guess I know I’m, I’m pretty big on whiskey, on social as well. So everybody knows that I’m with a whiskey guy. I don’t think it’s, it’s good to be proud of whiskey calling. 


No. 


Ashish Rajan: The tough one, maybe a follow Friday or mentoring, I 


Francesco Cipollone: guess. Yeah. I mean, yeah. A lot of my life has been a lot on social, so I’ve been massively probably on the activity. If I can take anything, is the satisfaction of any mentee that says how much I’ve done for them and the recognition. So sometimes. 


You know, you’re in the stream of thoughts you’re doing, doing, doing, and you don’t recognize any more the work that you do, or how much how much you give back to people. And when somebody asks you recognize their effort or recognize the good thing that come from you, or, somebody new just says, for example, I really appreciate the podcast. 


I think it has given me a lot of. Those kinds of things. I’m really proud [00:23:00] of because first of all, they shocked me because I’m so much into it though comes naturally. So it’s the gratification that comes back from it and it’s also giving back so cool. I’m proud of any, any contribution. And if I can inject a little bit of security inside the brain of somebody that somebody new 


Ashish Rajan: family to use MFA or locking them. 


Yes, 


Francesco Cipollone: yes. We actually have run. They actually did run a massive campaign, MFA everything, and we got two or three companies with Tanya, Jim and John to actually start offering MSA as part of us bashing them. If. Yeah. If, if, if people can start asking for I’m a fake globally, then company was started listening and we started deploying MFA more frequently. 


So. If anything, if your organization doesn’t offer him a favor, stop bashing at them and say if ever did or off the road. 


Ashish Rajan: But unfortunately we do a lot of, I think I’ve been handling MFA and locking machines for a, that those are topical things in my mind. Every time I talk about this basic security hygiene, last question. 


What is your favorite [00:24:00] cuisine and or favorite restaurant? 


Francesco Cipollone: I’m Italian. So I, life, I say this on like pizza or Italian or pasta, but I am massive fan of Thai, really? Yeah. Well, I was in Bangkok for almost a year. I was fishing in Bangkok with the UN for almost a year. So I’ve really started enjoying the type he’s in and yeah, it’s really spicy food is one of my thing. 


But yeah, if, if Asian, Asian cuisine and specifically Tai Tai in Korean on my field as well, 


Ashish Rajan: Yeah, 


9:00 AM over here, but I feel like it’s almost like I probably shouldn’t be having Korean barbecue. That’s a good one that it’s like, it’s going to be heavy on, 


but not dude. Thanks so much for your time, man. That was pretty much the, I really appreciate you spending the time on this, man. 


Francesco Cipollone: I appreciate your time.